eBay: How not to handle a security breach

eBay is not the only firm to have suffered at the hands of hackers, and nor is the breach the worst financially or by the amount and type of data that was compromised. But what made this incident stick out from the norm was eBay's shoddy handling of the whole thing.

Rather than send out an email alerting its users to the fact their sensitive data might have been exposed, and encouraging them to change their passwords as quickly as possible to prevent further breaches, eBay has pretty much tried to keep this quiet, no doubt in the hope that many users won't even realise a breach happened.

As of Thursday, eBay had posted a message labeled "Important: Password update" at the top of its website, with a line underneath asking eBay users to reset their passwords. However, this just read as a standard security message, with no specific detail around the attack or warning that user information had been accessed. You were then invited to click through to "learn more".

Anyone doing so was treated to a message from Devin Wenig, president of eBay Marketplaces, who made brief reference to "a cyberattack that compromised our eBay user database, which contained your encrypted password".

Still, according to Wenig there was no real reason for urgency. He casually suggested that users take a moment to change their password, the next time they visit eBay - so no real rush here then, Devin?

When I visited eBay on Thursday due to concern around the hack, I was amazed by the lack of information, apology and urgency. Clicking on the "learn more" link on the homepage took me to the plain text message from Wenig, with no link through to where you could change your password and no way to navigate back to the website.

Instead, Wenig advised me that I could change my password via "the 'My eBay' section under account settings". He said, "This will help further protect you; it's always a good practice to periodically update your password. Millions of eBay users already have updated their passwords." Again, the implication here is that this advice is part of a generic security message rather than a response to a specific attack. The other major issue is that you can't change your password via the "My eBay" section: you have to log in and click on your name, then click account settings, then click on "personal information" in the left-hand menu, and then locate password in the long list of items to edit.

So great customer service there from eBay: not only does it not know how its own website and security settings work, but the auction website also left millions of customers to work out the convoluted password-change process for themselves the day after it reported a major breach.

Wenig and his employer clearly cottoned on to the fact that not everyone is happy with how they have handled the process, no doubt spurred on by coverage of the password breach debacle, and by Friday morning the advice had been updated.

On visiting the eBay homepage, the same message was at the top of the website, but it was now joined by a blue "Reset your password" button that took you straight to the page to enter your email address to start the process - although there was still no apology or clear explanation on the front page as to why I'd want to do this. Wenig had also updated his advice, removing the erroneous instruction about visiting "My eBay" and instead adding a link at the top of the article to the password reset page.

However, by late Friday afternoon, all this advice had disappeared from the eBay website, leaving users who hadn't visited since Wednesday with no warning or alert to change their passwords, unless they happen to keep up with technology news. And if they have been keeping up with the news, they'll have no doubt been panicking over reports surfacing across the web that eBay customer details are available for sale, and trying to work out whether this could include their personal details or it's all just a fake offer.

Before it disappeared from the website, Wenig concluded his message by telling visitors, "Our team is committed to making eBay as safe and secure as possible. We are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features. We’ll keep you updated as we do."

However, the handling of this incident doesn't really show much commitment to making the website "as safe and secure as possible". The very least I'd have expected from eBay as a customer is a clear email on Wednesday - or preferably two weeks ago, when the firm first detected the breach - warning me of the attack and how it might affect me. eBay should also be communicating more clearly with its users, partners and investors about progress it's making around identifying how the breach occurred and what the fallout will be; instead there's been no update since Wednesday.

Making me do all the work to change my password, failing to send out the promised password reset emails and then battening down the hatches with no word to the outside world is a great example of how not to respond to a security breach. Other organisations should note down the steps eBay has taken - and then do the exact opposite if they're ever in a similar unfortunate situation.